docs: update progress — server fully ready (44/44 checks pass)

- Mark all server-side tasks as complete (fail2ban, Flower password,
  unattended-upgrades, verification script)
- Correct memory limits: celery-beat and flower bumped to 256m after OOM
- Update scaling guide memory budget to match actual limits

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

docs/deployment/hetzner-server-setup.md

@@ -132,21 +132,19 @@ Complete step-by-step guide for deploying Orion on a Hetzner Cloud VPS.
 
     **Steps 1–24 fully deployed and operational.**
 
-!!! success "Progress — 2026-02-16 (continued)"
+!!! success "Progress — 2026-02-17"
-    **Launch readiness — code changes:**
+    **Launch readiness — fully deployed and verified (44/44 checks pass):**
 
-    - **Memory limits** added to all 6 app containers in `docker-compose.yml` (db: 512m, redis: 128m, api: 512m, celery-worker: 512m, celery-beat: 128m, flower: 128m)
+    - **Memory limits** on all 6 app containers (db: 512m, redis: 128m, api: 512m, celery-worker: 512m, celery-beat: 256m, flower: 256m) — beat/flower bumped from 128m after OOM kills
     - **Flower port** restricted to localhost only (`127.0.0.1:5555:5555`) — access via Caddy reverse proxy
+    - **Flower password** changed from default
     - **Infrastructure health checks** — `/health/ready` now checks PostgreSQL (`SELECT 1`) and Redis (`ping`) with individual check details and latency
-    - **Scaling guide** — practical playbook at `docs/deployment/scaling-guide.md` (metrics, thresholds, Hetzner pricing, timeline)
+    - **fail2ban Caddy auth jail** deployed — bans IPs after 10 failed auth attempts
-    - **Server verification script** — `scripts/verify-server.sh` checks all 12 infrastructure components
+    - **Unattended upgrades** verified active
+    - **Scaling guide** — practical playbook at `docs/deployment/scaling-guide.md`
+    - **Server verification script** — `scripts/verify-server.sh` (44/44 PASS, 0 FAIL, 0 WARN)
 
-    **Pending server-side tasks:**
+    **Server is launch-ready for first client (24 stores).**
-
-    - [ ] Deploy fail2ban Caddy auth jail (documented in Step 20, config ready but not yet applied)
-    - [ ] Change Flower password from default (`FLOWER_PASSWORD` in `.env`)
-    - [ ] Verify unattended-upgrades is active (`sudo unattended-upgrades --dry-run`)
-    - [ ] Run `scripts/verify-server.sh` on server to validate all infrastructure
 
 
 ## Installed Software Versions

docs/deployment/scaling-guide.md

@@ -22,17 +22,17 @@ Practical playbook for scaling Orion from a single CAX11 server to a multi-serve
 | redis | 128 MB | Task broker + cache |
 | api | 512 MB | FastAPI (Uvicorn) |
 | celery-worker | 512 MB | Background tasks |
-| celery-beat | 128 MB | Task scheduler |
+| celery-beat | 256 MB | Task scheduler |
-| flower | 128 MB | Celery monitoring |
+| flower | 256 MB | Celery monitoring |
-| **App subtotal** | **1,920 MB** | |
+| **App subtotal** | **2,176 MB** | |
 | prometheus | 256 MB | Metrics (15-day retention) |
 | grafana | 192 MB | Dashboards |
 | node-exporter | 64 MB | Host metrics |
 | cadvisor | 128 MB | Container metrics |
 | alertmanager | 32 MB | Alert routing |
 | **Monitoring subtotal** | **672 MB** | |
-| **Total containers** | **2,592 MB** | |
+| **Total containers** | **2,848 MB** | |
-| OS + Caddy + Gitea + CI | ~1,400 MB | Remaining headroom |
+| OS + Caddy + Gitea + CI | ~1,150 MB | Remaining headroom |
 
 ---